Microsoft: 'We won't charge to fix vulnerabilities'

The software giant has promised not to charge for security fixes, but has said it will charge for virus protection

Microsoft has witnessed an improvement in the way people are securing their computers.

Speaking at the company's TechEd conference in Amsterdam on Tuesday, Detlef Eckert, chief security advisor for Microsoft, said although the level of hacking and virus attacks remains constant, people are being more vigilant about online threats.

Eckert told ZDNet UK sister site "While the attacks are not going down and the network worms are still a risk, society at large has got better. What we sense is a shift of the professional criminal attacks. They are more targeted and they go on the premise 'how do we get money?' They are phishing attacks that look for bank details, espionage attacks that use Trojans or botnets that do denial-of-service attacks."

However, Mario Juarez, product manager of security for Microsoft, said that only one in three people using Windows XP in the US had downloaded Service Pack 2, which tightens security on the operating system: "We know that the percentage of people using Windows XP SP 2 is lower than we would like it to be. One in three machines that run Windows XP is running SP 2. Customers are still reluctant to upgrade."

Microsoft has recently completed the acquisition of antivirus company Sybari and launched an anti-spyware service which it says 20 million people worldwide have signed up for. Some of the anti-spyware services will be provided for free but Eckert said the antivirus product will continue to be sold.

While Microsoft currently provides free patches for vulnerabilities in Windows, Eckert said Sybari's software would carry a cost because viruses were completely unrelated to its software flaws.

"We are not charging the user for anything related to vulnerabilities," Eckert said. "There are companies that charge for updates or services. There are virus attacks that are not related to vulnerabilities but exploit user behaviour. The virus attacks look at system or user log traffic. They use port 80 or HTTP as a way to attack companies. They get into the Web server and attack you directly."

But last week antivirus expert Graham Cluley of Sophos stressed that Windows was one of the greatest problems in the antivirus world.

Cluley said: "I believe that right now the real threat is on Windows computers and servers. Last month we saw more malware and most of them targeted Windows. Today there is a 50 percent chance you will get infected in eight minutes of plugging into broadband. It's [home] users — the businesses are patching themselves — they are the ones who are spreading it about."

When asked if it was fair to charge customers for antivirus products that secure flaws in Windows, Microsoft's Juarez said: "It's about philosophy. There is an inherent premise in the issue of propriety of charging for security that resonates in an interesting way. Customers are really keen on being protected. Our principal interest is providing the means for customers to stay secure.

"It's about making the entire ecosystem safer. As Microsoft we think on a global level of what keeps the Internet safe. We need to be sure that the world is safe."